Online Privacy, Security and Password Management

Online Privacy, Security and Password Management
FOSSASIA Summit 2021, 2021Mar18 @ noon Singapore
der.hans, CDE, Object Rocket, a rackspace company, https://www.ObjectRocket.com/
Yes, we’re hiring :)
• ObjectRocket - https://www.ObjectRocket.com/careers/
• Rackspace Technologies - https://rackspace.jobs/
FOSSASIA Summit 2021 © 2007-2021 der.hans | https://floss.social/@FLOX_advocate | https://www.LuftHans.com/talks/

Upcoming Presentations
• List of Some Upcoming and Previous Talks and Publications - https://www.LuftHans.com/talks
• Upcoming talks
  - LibrePlanet - Regular expression workshop - 2021Mar20 15:40 local (19:40 UTC) (English)

Social Media and Fediverse
• FLOX_advocate on Mastodon - https://floss.social/@FLOX_advocate
• LuftHans on PLUME - https://fediverse.blog/~/LuftHans
• LuftHans on Freenode IRC - #SeaGL, #LOPSA, #PLUGaz and #LibreLounge

First off, IANAL

And, Specifically…

More Importantly, IANYL
If you need legal review for any ideas from this talk, please talk to YOUR lawyer

Why do we need security?
Spectre/Meltdown (again) — Equifax admin/admin — Heartbleed — Apple SSL — Apple iCloud — Home Depot — Target — Yahoo! x 2 — LinkedIn x 3 — eHarmony — Last.fm — TJ Maxx / Marshalls — Adobe — Neiman Marcus — 7-Eleven — Barnes and Noble — TriCare x 2 — Mat Honan — Jennifer Lawrence — Kate Upton — Rihanna

Cost
"They could have used my e-mail accounts to gain access to my online banking, or financial services. They could have used them to contact other people, and socially engineer them as well." – Mat Honan

What’s really at Stake?
"more than a year’s worth of photos, covering the entire lifespan of my daughter" – Mat Honan
"including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life" – Mat Honan

Data Collection
• 90% of data ever collected was collected in the last 2 years - from a 2019 Freakonomics podcast

First Things First
• Use only trusted software sources!
• Install Security Updates!

Encryption Example
• Postcard vs Envelope

When to Use Encryption
• All the time!
• Every time!
• HTTPS Everywhere browser Add-on from the EFF (the EFF has since retired the add-on and points users to the HTTPS-only mode built into current browsers)

What to Encrypt
• Log in credentials
• Personal (identifying) information
  - Name
  - Address
  - Phone Number
  - Credit Card Information
  - Medical Information
  - Private Photos
  - Shoe Size

Password Bleed Over
• Same password at multiple sites?
• One site compromise could quickly expose your data at multiple sites
• Use different passwords for every site!

Credentialed access
• Credentials are the combination of tokens used for authentication

Are you you?
• Username, often email address
• Password
• Security Questions
• PIN
• Multifactor Authentication (MFA)
• Body Parts

Unique
• Every one of those should be unique to every site
• Each item, not just combinational uniqueness
• Some restrictions may apply

Random String
• Random sequence of text gibberish
• Longer and more random are both better
• Use
  - Letters ( upper case and lower case )
  - Numbers
  - Punctuation ( !@#$%^&*.,/:\; )
• Be cautious of
  - Similar looking characters
  - Underline and dash
  - Spaces and tabs
• Example: fnYV@tki4M'jj;iTW]21

Random Word Salad
• Random sequence of unrelated words
• Longer and more random are both better
• Use multiple languages if you can
• Declension, conjugation, etc.
• Add mid-word capital letters
• Use randomish punctuation
• Example: purPlish lechE verFaehrt sInging liberte
• XKCD Example: correct horse battery staple

ERROR: /dev/brain read-write failure
But, Hans, that’s way too much to memorize and it’s not nearly as interesting as baseball stats…

Password Managers
• Securely store credential information
• Easy to use for authentication

Password Manager Requirements
• Free Software
• Hidden Password Entries (* not hunter2)
• Locally Encrypted, Operating System Independent File
• Data Liberation
• Automagic Clipboard Entry Clearing
• Easy Copy and Paste
• Configurable Password Generator
• Space For Notes
• Entries Organization

Password Manager Bonus Features
• Human Readable Password Generation
• Random Word Salad Generation
• Pronunciation Guide
• Random String Generation from Anywhere in UI
• Secondary Key/Value Storage
• Copy/Paste of Secondary Key/Value
• Data Export with Sync
• Site safety verifications
• Automated password changes

My Recommendations
• GNU/Linux or BSD Device
  - KeePassXC (keepassxc)
  - KeePassX (kpcli)
• Web
  - Bitwarden
  - Nextcloud
    · WebAppPassword
    · Passman
    · Passwords
• Android
  - KeePassDroid
• Other Desktop
  - KeePass

One Password to Hold Them All

One Password to Protect Them All

Passphrases
XKCD: Password Strength - https://xkcd.com/936/

Pronounceable Strings
• Like Dr Seuss, but make less sense
• Useful for over the phone
• Avoid lookalike characters
  - 1 l
  - 0 O
• Pronunciation guides help
  - werecbyivofejmu (wer-ec-byiv-of-ej-mu)

I am me!
Authentication is identifying that you are you

How do you prove it?
• 3 types of authentication data
  - What you know
    · Ex: username, password, PIN
  - What you have
    · Ex: ID, smartphone app, physical token
  - What you are
    · Ex: fingerprint, DNA, facial recognition, retina scan

4th Element: You’ve been tokenized
• Cookies
• Device ID

5th Element

ID: Username
• random string: banks, shopping, utilities
  - Ex: eddyityoz
• recognizable handle: public and social sites
  - Ex: FLOX_advocate

ID: Email Address
• Subaddressing
  - [email protected]
  - username+[email protected]
• Also great for mail filtering
  - username+[email protected]
• Limited use for social networking
  - Friends and colleagues
    · I know [email protected], please let us converse
  - Great for notifications from social networks
    · username+[email protected]

ID: Using Subaddressing
• Unique ID and email address for every site
• Use a random token
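As an added example (not code from the talk, and not the generator of any password manager it lists), the script below implements the four credential styles the slides describe: a random string drawn from an alphabet that drops the lookalike, underline/dash and whitespace characters the Random String slide warns about; a random word salad with one mid-word capital per word and randomish punctuation between words; a pronounceable consonant-vowel string with a hyphenated pronunciation guide; and a random subaddress token for a per-site email address. The wordlist is a constructed toy list for demonstration, and `username` / `example.com` are placeholders. All randomness comes from `secrets.SystemRandom`, the OS CSPRNG.

```python
"""Added example: generators for the credential styles in the slides,
with an entropy estimate. Not from the talk. Randomness comes from
secrets.SystemRandom (the OS CSPRNG); never use random.random() here."""
import math
import secrets
import string

# Slides: be cautious of similar-looking characters, underline and dash,
# spaces and tabs. Drop them from the default alphabet.
CONFUSABLE = set("1lI0O_- \t")
STRING_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + "!@#$%^&*.,/:;"
    if c not in CONFUSABLE)

# Constructed toy wordlist, mixed languages as the slide suggests. A real
# list (e.g. Diceware, 7776 words) gives ~12.9 bits per word; this one ~3.5.
WORDLIST = ["purplish", "leche", "verfaehrt", "singing", "liberte",
            "correct", "horse", "battery", "staple", "schnell", "nube"]
SALAD_PUNCT = " .,/:;!"              # "randomish punctuation" between words
CONSONANTS = "bcdfghjkmnprstvwxyz"   # no l (looks like 1/I), no q
VOWELS = "aeiou"
TOKEN_ALPHABET = string.ascii_lowercase + string.digits  # safe in a local-part

_rng = secrets.SystemRandom()


def entropy_bits(choices, length):
    """Bits of entropy in `length` independent uniform picks from `choices`."""
    return length * math.log2(choices)


def random_string(length=20, alphabet=STRING_ALPHABET):
    """Random gibberish in the style of the slide's fnYV@tki4M'jj;iTW]21."""
    return "".join(_rng.choice(alphabet) for _ in range(length))


def word_salad(n_words=5, words=WORDLIST):
    """Unrelated words, one random mid-word capital each, random
    punctuation between them (cf. purPlish lechE verFaehrt ...)."""
    parts = []
    for _ in range(n_words):
        w = _rng.choice(words)
        i = _rng.randrange(len(w))
        parts.append(w[:i] + w[i].upper() + w[i + 1:])
    out = parts[0]
    for p in parts[1:]:
        out += _rng.choice(SALAD_PUNCT) + p
    return out


def pronounceable(n_syllables=7):
    """Consonant-vowel(-consonant) syllables; returns the string and a
    hyphenated pronunciation guide, as in werecbyivofejmu (wer-ec-...)."""
    syls = []
    for _ in range(n_syllables):
        s = _rng.choice(CONSONANTS) + _rng.choice(VOWELS)
        if _rng.random() < 0.5:
            s += _rng.choice(CONSONANTS)
        syls.append(s)
    return "".join(syls), "-".join(syls)


def subaddress(user, domain, token_len=8):
    """user+<random token>@domain: a unique address per site that doubles
    as a mail-filter key and shows which site leaked or sold it."""
    token = "".join(_rng.choice(TOKEN_ALPHABET) for _ in range(token_len))
    return f"{user}+{token}@{domain}"


if __name__ == "__main__":
    print(random_string(), f"({entropy_bits(len(STRING_ALPHABET), 20):.0f} bits)")
    print(word_salad(), f"({entropy_bits(len(WORDLIST), 5):.0f} bits from word choice alone)")
    print(*pronounceable())
    print(subaddress("username", "example.com"))
```

The entropy figure for the word salad counts only the word choice; the mid-word capital and the separator add a few bits per word on top. With the 11-word toy list five words give about 17 bits, which is why a real list such as Diceware (7776 words, about 64.6 bits for five words) matters more than any clever capitalization. In practice the password manager's generator should do this work; the point of the script is to show what that generator has to get right: a CSPRNG, a lookalike-free alphabet, and a large wordlist.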

Details
• File Type: pdf
• Content Languages: English
• File Pages: 64
